The deletion of Tomcat WebServer logs may indicate an adversary attempting to remove forensic evidence to obscure their presence and activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential data exfiltration or tampering efforts early.
Detection Rule
title: Tomcat WebServer Logs Deleted
id: 270185ff-5f50-4d6d-a27f-24c3b8c9fef8
status: test
description: Detects the deletion of tomcat WebServer logs which may indicate an attempt to destroy forensic evidence
references:
    - Internal Research
    - https://linuxhint.com/view-tomcat-logs-windows/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-16
tags:
    - attack.defense-evasion
    - attack.t1070
logsource:
    category: file_delete
    product: windows
detection:
    selection:
        TargetFilename|contains|all:   # both directory fragments must appear in the path
            - '\Tomcat'
            - '\logs\'
        TargetFilename|contains:       # any one of the Tomcat log name prefixes
            - 'catalina.'
            - '_access_log.'
            - 'localhost.'
    condition: selection
falsepositives:
    - During uninstallation of the tomcat server
    - During log rotation
level: medium
imFileEvent
// Restrict to deletions (imFileEvent carries every file operation); the directory test uses TargetFilePath, since ASIM's TargetFileName holds only the file name
| where EventType == "FileDeleted"
| where (TargetFilePath contains "\\Tomcat" and TargetFilePath contains "\\logs\\") and (TargetFileName contains "catalina." or TargetFileName contains "_access_log." or TargetFileName contains "localhost.")
Scenario: Scheduled log rotation or cleanup job executed by logrotate
Filter/Exclusion: Check for logrotate process or presence of /etc/logrotate.d/tomcat configuration
Scenario: System administrator manually deleting old logs using rm or find command
Filter/Exclusion: Check for presence of sudo or root user context, or use of find with -mtime parameter
Scenario: Tomcat log files being purged as part of a routine maintenance task via cron job
Filter/Exclusion: Filter for cron job entries in /var/spool/cron or check for crontab -l output referencing log cleanup
Scenario: Log files being deleted by a third-party monitoring or compliance tool (e.g., Splunk, Graylog, or ELK)
Filter/Exclusion: Check for presence of tool-specific log directories or use of tool-specific log management processes
Scenario: Temporary deletion of logs during a system audit or security incident response by a security team
Filter/Exclusion: Check for presence of incident response or audit in the user session or command history (e.g., history or script logs)
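As an added example (not the original rule's query), the following KQL applies the rule's selection to deletion events only, tunes out the log rotation scenario listed above, and aggregates per host, account, process and command line so the remaining scenarios (manual rm/find, cron cleanup, uninstall, audit activity) can be confirmed from one row. The 1-day lookback and the rotation process allow-list are assumptions; only "logrotate" is named in the scenarios above.

```kql
// Added example, not the original rule's query. Assumptions: a 1-day lookback and the
// allow-list of rotation processes (only "logrotate" is named in the scenarios above).
let lookback = 1d;
let rotation_processes = dynamic(["logrotate"]);   // assumed: scheduled rotation/cleanup jobs
imFileEvent
| where TimeGenerated > ago(lookback)
// imFileEvent carries every file operation; the rule's logsource is file_delete
| where EventType == "FileDeleted"
// Directory test on TargetFilePath (full path); ASIM's TargetFileName holds only the file name
| where TargetFilePath contains "\\Tomcat" and TargetFilePath contains "\\logs\\"
// Sigma 'contains' on a list is an OR: any one of the log name prefixes is enough
| where TargetFileName contains "catalina."
    or TargetFileName contains "_access_log."
    or TargetFileName contains "localhost."
// Scenario tuning: deletions performed by the rotation job itself are expected
| where not(ActingProcessName has_any (rotation_processes))
// One row per operator/process so a manual rm, a cron cleanup or an uninstaller is reviewed once, with its command line
| summarize Deletions = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            DeletedFiles = make_set(TargetFileName, 50)
    by DvcHostname, ActorUsername, ActingProcessName, ActingProcessCommandLine
| order by Deletions desc
```

Rows whose ActingProcessCommandLine shows a maintenance pattern (find with -mtime, a cron-driven script) can be added to the allow-list once confirmed; anything else stays in the queue for review.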